February 01, 2018
Microsoft Corp. v. United States
Territoriality in the Age of the “Cloud”
Later this month, the Supreme Court will hear oral argument regarding the Second Circuit’s decision in United States v. Microsoft Corp., a controversial ruling that highlights the tension between the present-day reality of electronic data that moves rapidly and readily across the globe, and traditional views of evidence as residing within specific national borders.
The underlying dispute in the Microsoft case arose when United States law enforcement officials obtained a warrant pursuant to the Stored Communications Act for the production of an individual’s emails, the content of which was stored on Microsoft’s cloud storage servers in Dublin, Ireland. Enacted in 1986, the SCA provides that, upon a threshold showing by law enforcement authorities, third-party internet service providers must turn over the electronic communications of their customers, including emails. After producing the non-content portion of the requested data (i.e., the metadata), which was stored in the United States, Microsoft moved to quash the remainder of the warrant on the grounds that the content data was located in Ireland, beyond the reach of the United States government. Microsoft argued that requiring it to turn over the emails would constitute an extraterritorial application of the SCA despite the fact that—with just a few clicks from inside of its United States headquarters—it could easily access and disclose the data in the United States.
Although the Magistrate and District Courts ruled in favor of the government, the Second Circuit sided with Microsoft. The court applied the two-part test set forth in the Supreme Court’s 2010 decision in Morrison v. National Australia Bank Ltd., which asks (1) whether Congress intended for the statute to apply extraterritorially, and (2) if not, whether the matter at issue involves a “domestic application” of the statute. With respect to the first prong, the Second Circuit’s decision in Microsoft found (although nobody actually disputed) that the SCA applies only inside the United States, as there is no indication in the statute that Congress intended to override the presumption against the extraterritorial application of U.S. laws.  The Second Circuit also concluded that in drafting the SCA, Congress deliberately used the word “warrant” as a legal term of art that carries “domestic connotations,” thereby limiting the reach of the statute to only those documents that are located exclusively within the borders of the United States. And, the Court rejected the government’s argument that an SCA warrant functions as a hybrid warrant/subpoena that has global reach, noting that the SCA itself references “warrants” and “subpoenas” distinctly and nowhere uses the term “hybrid.”  The court in Microsoft thus found inapplicable the legal precedent that requires a domestic company in receipt of a subpoena to produce documents in its custody and control, even if located abroad. 
With respect to the second prong of the Morrison analysis, the Second Circuit panel in the Microsoft case concluded that requiring Microsoft to produce the email content that was stored on servers in Ireland would constitute an extraterritorial application of the SCA. In brief, the Court reasoned as follows: because the focus of the SCA is user privacy and the invasion of the user’s privacy takes place where the user’s protected content is stored—in this case, in the Dublin data-center—the information was out of bounds, “regardless of the customer’s location and regardless of Microsoft’s home in the United States”  The Court rejected the government’s argument that, even if the focus of the SCA were user privacy, the invasion of privacy occurs in the United States, where the documents are accessed by a Microsoft employee and then disclosed to law enforcement, rather than where the documents are stored. Having lost in its efforts to obtain the email content that was stored on a server in Ireland, the government petitioned for a rehearing en banc, which was narrowly denied by a 4-4 vote, with the en banc court producing four separate, often vehement dissents.
The Second Circuit’s controversial decision lays bare the challenge of applying old laws to new technology. The SCA was crafted on the assumption that information sought is either within the United States’ borders (and therefore within the Government’s reach), or outside the United States’ borders (and therefore outside the Government’s reach). But in today’s digital era, this assumption is no longer accurate. As noted in several briefs filed during the course of the litigation, a single email can be in several places at once because internet service providers often split data into “shards” that are stored in multiple nations simultaneously.  Internet service providers also have the ability to move data around the world from day to day according to network demands (or for no reason at all). Given this new reality, a statutory framework that focuses on the precise geographic “location” of electronic data storage is, as the United Kingdom argues in its amicus brief, “unrealistic and unworkable.”
Simply put, the SCA was never meant to, and clearly fails to, address the intangible nature of modern data. Indeed, the only thing everyone—including Congress—seems to agree on is that the SCA is more than ripe for a statutory fix. To that end, Congress is already considering legislative amendments to the very provisions of the SCA at issue in the case.  Despite this potential, albeit speculative, legislative rescue and despite the absence of any circuit split on the issue, the Supreme Court granted certiorari on the Microsoft case, likely in recognition of the exigencies faced by law enforcement as a result of the panel’s ruling. As was emphasized by several judges dissenting in the denial of a rehearing en banc, the panel’s ruling “indisputably, and severely, restricted ‘an essential investigative tool used thousands of times a year [in] important criminal investigations around the country.’” No matter the motivation for granting certiorari¸ there are a few key, potentially dispositive, inflection points to listen for at the forthcoming Supreme Court argument.
First, how will the Court frame the issue? Microsoft argues that the case involves a threat to individual privacy, but the government (along with several judges of the Second Circuit) suggests that the focus on privacy is a red herring because the government complied with the most significant privacy-protecting requirements of the SCA – that a warrant be issued by a neutral magistrate based upon a finding of probable cause. Judge Gerard E. Lynch, concurring in the Second Circuit order reversing the District Court, contends, and others agree, that “uphold[ing] the warrant here would not undermine basic values of privacy as defined in the Fourth Amendment and in the libertarian traditions of this country.” Instead, what is really at stake, according to Judge Lynch, is “whether Microsoft can thwart the government’s otherwise justified demand for the emails at issue by the simple expedient of choosing—in its own discretion—to store them on a server in another country.” 
Second, the Supreme Court must address whether, in using the term “warrant,” Congress adopted a legal term of art meant to restrict the government’s access to documents located within this country’s borders, or whether the term “warrant” is irrelevant because the SCA merely requires that, after a proper legal showing is made, a recipient produce its records no matter where those documents are located. Or, the justices could potentially walk the line and conclude, as several of the judges of the Second Circuit have, that even if Congress meant to invoke all of the “domestic connotations” typically associated with the term “warrant,” the warrant at issue still does not implicate the presumption against extraterritoriality because it can be executed entirely within the United States. As Judge Jose A. Cabranes, dissenting in the denial of a rehearing en banc noted, “Microsoft lawfully had possession of the emails . . . had access to the emails in the United States . . . [and its] disclosure of the emails to the government would take place in the United States.”
Much of this turns on how one conceptualizes modern data – the subject of fierce debate among the judges on the Second Circuit, not to mention the parties. As noted by Judge Dennis Jacobs, the approach of the majority of the judges who issued the panel decision in the Second Circuit drew heavily on a comparison of the data to paper documents: “‘items’ and ‘material’ and ‘content’ that are ‘located’ and ‘stored’ in Ireland.” Of course, if the data is “located” in Ireland, it follows that executing the warrant would constitute an extraterritorial application of the SCA. However, in the words of Judge Jacobs, if modern data is, in fact, intangible and is not “stored” or “located” in data-centers in the “same way that books are stored on shelves,” then compliance with the warrant would not constitute an extraterritorial application of the statute because Microsoft “need only touch some keys in Redmond, Washington” in order to produce responsive material.
Finally, if the decision tree follows certain branches, the Supreme Court may have to address potential conflicts of law and issues of international comity. In particular, if the Court finds that an SCA warrant operates as a hybrid subpoena, no conflict of laws would arise because, as the government argued, “international norms have long recognized that a sovereign retains the authority to order an entity within its jurisdiction to repatriate records.”  However, as Microsoft and several amici have emphasized, a ruling in the government’s favor could create international discord and possibly put American companies in the difficult position of having to violate the laws of countries in which they operate in order to comply with an SCA warrant.
Ultimately, it will be up to Congress to weigh all of the various interests at stake. In the meantime, though, practitioners, privacy advocates, and citizens should watch what happens in the Supreme Court when a badly outdated statute suffers a head-on collision with modern technology.
Reprinted with permission from the February 2, 2018 edition of the New York Law Journal© 2018 ALM Media Properties, LLC. All rights reserved.
 In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., 855 F.3d 53, 61 (2d Cir. 2017)(noting that the information in question is “easily accessible in the United States at a computer terminal”).
 Morrison v. Nat’l Austl. Bank Ltd., 561 U.S. 247, 249 (2010).
 In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., 829 F.3d 197, 210 (2d Cir. 2016), cert. granted sub nom. United States v. Microsoft Corp., 138 S. Ct. 356 (2017).
 Id. at 213.
 Id. at 214.
 Id. at 213-14.
 Id. at 220.
 Br. for the U.S. at 15.
 Amicus Br. for the U.K. at 4.
 See Amicus Br. for Members of Congress at 1 (noting that amici curiae “have introduced or co-sponsored the International Communications Privacy Act, bipartisan legislation currently under consideration by Congress which aims to establish a comprehensive framework to govern when and to what extent U.S. warrants may be used to access data stored abroad.”).
 Supra note 1 at 63 (citation omitted)(Cabranes, J., dissenting)(rehearing en banc denied); see also id. at 70 (noting the “immediate and serious adverse consequences of such a ruling”)(Raggi, R., dissenting)(rehearing en banc denied); id. at 76 (“The denial of en banc review hobbles both this specific Government investigation as well as many others, important not only to the United States but also foreign nations. The Government's interest in continuing critical investigations into criminal activity is manifest.”)(Droney, C., dissenting)(rehearing en banc denied).
 Supra note 3 at 222 (Lynch, J., concurring).
 Id. at 224.
 Supra note 1 at 69 (Raggi, R., dissenting)(rehearing en banc denied)
 Id. at 63 (Cabranes, J., dissenting)(rehearing en banc denied).
 Id. at 61 (Jacobs, D., dissenting)(rehearing en banc denied).
Br. for the U.S. at 45.
 See Br. for Microsoft at 37 – 44; Amicus Br. for Former Law Enforcement, National Security and Intelligence Officials at 4 – 9; Amicus Br. for U.N. Rapporteur at 23 – 25; Amicus Br. for Ireland at 1.